How can Citrix help my security posture? That’s the question of the day.
The short answer: With Citrix you keep applications and data off of endpoints. Applications stay in the data center, giving you a more efficient and consistent way of securing, managing and auditing them. The longer answer begins with a portrait of the insecurity landscape.
- Huge attack surface across many application delivery methods – client/server, Web, Mobile and Cloud
- Complexity and the rate of change that are outpacing our abilities to simplify app delivery
- Strained budgets and resources, which are allocated for new projects more often than for legacy and older systems, creating an architectural dig of technologies
- Defenders not adapting fast enough to disruptive technologies and the security challenges they bring
We know that attacks and attack vectors can come from anywhere, and the threats are more sophisticated and organized than ever. Our adversaries collaborate better than we do as defenders. There are entire ecosystems that work together to monetize our data. They are largely driven by profit just like most businesses, but they are unregulated.
Who are these attackers? There are many: disgruntled and sometimes unwitting insiders, hacktivists who rally behind a cause, professional and amateur hackers, industrial spies, state-sponsored actors, and criminal enterprises. What differentiates them is the target and the motivation.
Different targets require different techniques. Against end users, phishing, social engineering and compromised credentials are particularly effective. Client-side attacks (remarkably similar to server-side) exploit software and OS vulnerabilities using weaknesses in applications, coding languages, applets and extensions. On the network, there are sniffers, relays, DNS redirects, weak authentication, open hotspots and lack of encryption, among others. Don’t discount physical attacks like dumpster diving, eavesdropping, loss and theft.
As organizations embrace the future, we attempt to bridge the security gap between legacy apps and disruptive technologies like Web, Mobile, Cloud, and emerging trends like the Internet of Things and Big Data. These disruptive technologies constantly change the IT landscape and make it even more difficult to come up with a defense strategy.
With the workplace becoming more mobile and people using their own devices, data is everywhere. Endpoints are easily compromised. Operating systems are not locked down. Applications are installed locally. Add to that the lack of control over privileged accounts, default web browser implementation and third-party access, and you begin to see why it’s simply not enough to put a perimeter around buildings or devices.
A whole new approach is needed to protect data. Building a perfect perimeter is like building an ancient walled city and hoping to outlast a never-ending siege from an adversary whose weapons are evolving all the time. Walls worked well until siege craft started using gunpowder. Attempting to extend the perimeter to endpoints and low-value assets is a losing proposition. There are too many ways into a traditional perimeter and too many ways out. At the same time, the perimeter is expanding and getting more porous, and IT is losing control and visibility.
Citrix has been simplifying IT for years, moving applications and data off endpoints and into the data center, making management more efficient and configuration and patching more consistent. That same approach is the inherently more secure architecture for application delivery. End users get access to apps, desktops and data securely, whether they are mobile, in the office or in branch offices. We have end users securely working on any device, over any network, accessing any app and data. This is how it’s done:
- With XenApp and XenDesktop, security controls can be better enforced in the data center, not on endpoints that move from untrusted network to network
  - Efficient and consistent configuration and patch management is centralized within the data center;
  - Access management through strong authentication support, for applications that don’t natively support it;
  - Session Recording for forensic analysis? That’s in there, as well as granular access based on device, location and network scenario.
- With XenMobile, mobile apps installed natively on devices are secured
  - Data is protected on the device, over the air and between apps with strong encryption. Secure containers have AES 256 encryption for app data;
  - Enforce strong authentication using certificates and a secondary app-level PIN, and connect to the data center using micro VPNs;
  - Secure application data without requiring device enrollment; manage the entire device or just a container for corporate data.
- ShareFile provides secure file sync and sharing with flexible storage options
  - Meet data sovereignty, compliance, performance and cost requirements;
  - Zero knowledge of data or file and folder names – metadata encryption;
  - Data encryption keys are with you, regardless of where the data actually resides.
- NetScaler secures both network and application traffic as a reverse proxy for Web applications and Unified Gateway for Citrix deployments
  - Enhanced authentication with nFactor;
  - End-to-end SSL/TLS encryption;
  - Integrated application firewall and data loss prevention.
Assume all endpoints and the network they are sitting on are compromised. What applications and data should reside on compromised devices? Instead, leverage the investment already made in security at the data center and don’t scramble to re-create it on disposable low-value assets.
This is especially true in BYOD environments, where devices are diverse and harder to manage. Focus on gaining control and visibility at the gateway. End users connect through the NetScaler Gateway, which provides multifactor authentication, SSL/TLS encryption and access control. Applications and desktops are centralized and more consistently managed by XenApp and XenDesktop. Mobile applications are managed by XenMobile. File access and sharing is controlled and audited by ShareFile. The disparate matrix of application delivery becomes simplified. The attack surface is reduced. Visibility is increased. Complexity is simplified.